Risks & opportunities
We balance risks and their impact with the opportunities and advantages they offer. This allows us to maximize the benefits of a risk while minimizing the consequences.
Risk culture
Risks can occur anywhere in the organization. So it is important that every Coolbluer is aware of risks and can identify them. This is why every Coolbluer is responsible for managing their own risks. They are supported in this by our Risk & Internal Control, Tax, Safety, Security & Fraud, Tech Security, Finance, and Legal departments. The ultimate responsibility for risks is borne by the Management Board. This approach allows us to create a culture in which risk management stays top of mind throughout the organization and in which risks are managed when and where they occur through detection, prevention, and correction.
Internal guidelines
To provide Coolbluers with the means to decide how to go about a risk, we have various internal policies in place, which are in part based on external regulation. These policies are written in an honest, direct, and open manner and are easily available to every Coolbluer in multiple languages. We periodically review these policies to ensure they continue to meet legislative demands. Examples of our internal guidelines are:
- The Workguide (the employee guidebook);
- The Friend Code (our code of conduct);
- How can Coolblue help me with undesirable situations? (our whistleblower policy);
- What happens if I cheat? (our anti-fraud policy); and
- What if I don’t stick to the Coolblue agreements? (our disciplinary policy).
Increasing awareness
We make an effort to maintain a consistently high level of risk awareness. We actively involve Coolbluers in our risk management processes. As a result, we gain a current and accurate view of what is at play in the organization and we can manage our risks effectively. To further support Coolbluers in this, we offer e-learning modules and training courses that address topics such as information and cyber security, the GDPR, labor law, competition law, tax law, and integrity. In 2025, we implemented a mandatory AI literacy training course for all our office colleagues.
Risk profile summary
We identified the risks that could impact the realization of our strategic goals and profiled them accordingly.
Risk identification & assessment
Our risk management focuses on 4 categories: strategic risks, operational risks, finance & reporting risks, and compliance risks. To create a risk profile for each risk, we have conducted various top-down and bottom-up risk assessments. We then prioritized the most relevant risks in yearly Strategic Risk Assessment with managers and the Management Board. These results have been discussed with both the Audit Committee and the Supervisory Board.
In 2025, we identified and profiled 11 risks, the same amount as in 2024. We merged the risks ‘Competition’ and ‘ Economic conditions’, as the two started to overlap increasingly more every year. To underline the importance of strategic partner collaboration, we introduced a new risk: ‘Key commercial partnerships’. We have rated all risks on a 5-point scale, based on their likelihood, impact, and our risk appetite. These ratings vary slightly compared to 2024.
Likelihood
Likelihood is the first scale on which we rate a risk. It defines the probability that a risk will occur within 2 years.
Impact
Impact forms the second scale on which we rate a risk. Here, we assess to what extent a risk would negatively affect the achievement of our goals, promises, and ambitions.
Risk appetite
The third and final scale, risk appetite, defines our willingness to run or take a risk. The lower our appetite for a risk, the stricter our measures have to be to manage it. On the other hand, we sometimes need to adopt a higher risk appetite to achieve our strategic goals.
Strategic risks
1. Reputation
Coolblue has a strong reputation. We want to uphold this reputation and prevent any damage to it, as this could negatively influence our business. At the same time, we have a desire to grow. We want to expand our business internationally and for example through exclusive brands. This means we constantly look for a balance between our growth plans and the risk exposure they entail. In Germany specifically, we have been growing and strengthening our brand throughout 2025. Our assessment of this risk remains unchanged compared to 2024.
2. Key commercial partnerships
As we expand in Germany and face new entrants in the Dutch and Belgian markets, strong local and cross-border partners are critical. To solidify our overall position in our existing markets and ensure we keep growing, we continue to invest in our commercial partnerships. They enable us to offer competitive assortment and terms, and ensure availability of products and services. All the while, they also enable us to quickly respond on pricing, promotions, and supply. Because this risk was newly introduced in 2025, we have no assessment from previous years to compare it to.
3. Economic conditions
Because Coolblue operates in multiple markets, we are subject to various conditions on national and international scales. Some of these circumstances also directly affect our customers, who adjust their spending choices accordingly. Over 2025, we saw further stabilization in inflation and in consumer confidence. However, competition in e-commerce remains severe and other economic conditions, such as tariffs, may present a potential impact on our business in the future. Because these conditions remain uncertain, we closely monitor them to allow proactive mitigation. In doing so, we stabilize their likelihood and impact on our risk profile.
Operational risks
4. Information security & data privacy
Ensuring the safety of our data and technology is vital to Coolblue. As a result of our growth and automation strategy, we rely more strongly on information systems. This makes the potential impact of this risk larger. We minimize its likelihood by constantly improving our cyber and information security controls, for example by performing regular third-party risk assessments when and where needed. Additionally, we do everything in our power to secure our (customer) data, prevent hacks and data leaks, and minimize the impact an incident may have. For all AI developments within Coolblue, our Privacy Officer is involved to ensure we fully comply with all relevant privacy legislation. To summarize, we have mitigating measures in place that counteract increases in impact scope and likelihood. As a result, our assessment of this risk remains unchanged.
5. Availability of systems & critical processes
We constantly apply optimizations in our operations, such as automation and mechanization in our warehouse. As a result, our dependency on technology increases. The impact of disruptions also increases, for instance in our automated picking process, which due to the automation cannot always be fully mitigated through manual efforts. To minimize the chances of this happening, we review our critical operations, dependencies on suppliers, and continuity and fallback procedures. For each, we identify our critical operations and risks. This allows us to minimize the odds of a disruption and the downtime that would follow. At the same time, we optimize how quickly we can restore our operations. Due to the increased dependency on technology, we identified an increased impact for this risk in 2025.
6. Stock management
Stock management risks come in 2 categories: excess stock and insufficient stock. To minimize both, we use algorithms that calculate the expected sales patterns every day, which we align our purchasing and warehousing activities to. This way, we can order the optimal number of products at all times and closely monitor our stock health. With our increased efforts in exclusive brand products, this became even more important in 2025. Simultaneously, we have enhanced the algorithms, forecasts, and reporting on stock levels to further decrease risks of future excess and insufficient stock.
7. Supply chain continuity
Our business depends on 2 factors: the availability of products and their components, and our ability to deliver them to our customers. We make an effort to safeguard continuity of both. By working very closely with our suppliers, we guarantee a constant supply and use our strong financial structure to realize this. We want to mitigate the risks of single country dependency, varying availability, and trade barriers due to international influences. We do so by ensuring that we live up to our delivery promise through our own delivery propositions and by closely collaborating with our delivery partners. As a result, we see no significant change in this risk compared to our assessment in 2024.
8. Attract and retain qualified Coolbluers
Qualified and talented Coolbluers are key to our success. That is why we are always happy to welcome new Coolbluers and help them build their career within Coolblue. We enable them to focus their attention on where it is of truly added value, because we understand how Coolbluers and mechanization complement each other. This way, we strive for operational excellence with a focus on making customer journeys simply amazing.
Competition for skilled personnel remains high. To keep Coolbluers engaged, we offer careers rather than jobs, in which we help them continuously refine their skillset. For example, we offer them various training courses at our in-house training facilities. This way, we actively help them build their career within Coolblue. By having mechanization and human attention complement each other, we established a decrease in the likelihood of risks in this category occurring.
9. Health, safety, and environment
The health and safety of our Coolbluers is of the highest importance to us. To safeguard both, we have procedures in place that outline in detail how to act in certain situations. As we continue to diversify in the products and services we offer, we also place strong emphasis on the safety of the Coolbluers who carry out the physical component of these new propositions. We actively provide training courses with best safety practices, ensuring our Coolbluers can safely and securely perform their tasks.
Our concern for health and safety extends beyond just Coolbluers. We provide clear instructions to our suppliers and regularly perform product safety testing and manufacturer inspections to ensure we comply with safety standards and regulations.
Finance & reporting risk
10. Finance and liquidity
Coolblue maintains a solid financial position with sufficient liquidity to fund ongoing operations and strategic investments. These are financed by our operating cash flow, a negative working capital, bank facilities and reinvestment of our profits. Thanks to our underlying debtor management, stock management, and treasury processes, we are always able to meet our payment obligations. We consistently monitor our exposure and liquidity to minimize the risk and have sufficient cash and credit lines available. Operating in the energy supply business includes related sourcing risks, collateral risks, and credit risks on suppliers. We manage these risks through strong monitoring and scenario planning, and they are further mitigated by our strong cash position. As a result, the likelihood and impact of financial and liquidity risks actually occurring are unchanged.
Compliance risk
11. Regulatory compliance
We continue to grow and expand in other countries and markets, such as Germany and the Dutch energy market. Additionally, we continue to develop our exclusive brands. As a result, there is an increasing amount of existing legislation we need to adhere to. At the same time, we want to ensure our full compliance with all future governing legislation, such as the NIS2, European AI Act, and CSRD.
We have a zero-tolerance approach to bribery, corruption, fraud, and any other form of (illegal) misconduct. This is strongly highlighted in our code of conduct and other guidelines. We also offer mandatory training courses that are geared to the relevant legislation within departments. This further ensures our consistent compliance.
In 2025, we have further matured our risk management by developing Key Risk Indicators. They allow the monitoring of the domains’ risk management maturity and cross-domain comparison. In addition, we matured our internal risk and control system through formal documentation thereof.
We also started the integration of department level risk and control matrices into an integrated control framework in which strategic, financial, IT, operational, and compliance risks come together. By adopting an end-to-end focus on financial processes we make it possible to shift our focus to high-risk topics within these processes.
Cybersecurity
In 2025, we focused on maturing our cyber resilience through both culture and technology. We expanded our existing training initiatives by launching a revitalized, company-wide security awareness program, ensuring every employee is equipped to be a first line of defense.
To validate our incident readiness, we successfully executed a cybersecurity crisis simulation designed to re-evaluate our existing incident response processes and strengthen board-level decision making. Furthermore, we enhanced our technological capabilities by investing in Threat Intelligence and Threat Prevention, enabling us to move beyond monitoring and into proactive threat identification and mitigation.
Fraud Detection and Prevention
To further prevent fraud throughout our organization in 2025, we improved dashboarding, monitoring, and flagging. For example, we critically assessed the parameters of the machine learning of our smart payment fraud model, which led us to place more emphasis on fraudulent data. By adjusting data at country level, we achieved higher accuracy. At domain level, we reviewed and migrated processes and instructions to increase signalling and minimize fraud impact. Our Fraud & Loss Prevention Experts, supported by enhanced tools, in combination with better service level agreements from our partners, can now evaluate, process, and detect much more efficiently.
Safeguarding privacy
We have an unceasing focus on the protection of data, both our own and our customers’. To ensure that this remains top of mind for each and every Coolbluer, we will continue to further develop existing educational courses and roll out training courses that are tailored to our specific domains. In addition, we will continue to monitor new and existing processes to identify potential improvements and to further ensure the safety of information we store. Lastly, we keep a close eye on, among other things, changing legislation to ensure our compliance.
Looking ahead
We are pleased with the steps we took in 2025 to improve our risk management and internal control framework. With the creation of Key Risk Indicators, we created uniform reporting and enabled cross-domain internal control comparison. Additionally, we laid the foundation to further enhance our integrated risk framework in 2026 by bringing together the various risk types. We will also research possibilities of implementing new GRC tooling, enabling risk management on an integrated enterprise level. Lastly, we will map out what our focus on further mechanization will entail, thereby also focusing on future availability and continuity of systems and processes.
